DDoS analysis using correlation coefficient based on Kolmogorov complexity

Abstract

This paper describes an approach to detecting distributed denial of services (DDoS) attacks that is based on Information theory, specifically Kolmogorov Complexity. A theorem derived using principles of Kolmogorov Complexity describes that the joint complexity measure of random strings is lower than the sum of complexities of the individual strings when the strings exhibit some correlation. However, Kolmogorov complexity is not calculable, various methods exist to measure estimates of complexity. In the viewpoint of Kolmogorov complexity, we have found out the characteristics of DDoS attacks after analyzing a lot of DDoS attack cases. We propose a new method to compute the joint complexity using Deep Packet Inspection (DPI). DPI depends on string matching process and regular expression heuristics that make a thorough investigation on the packet payloads in a search for networked application signatures. As ISPs backbone links' speed and data volume increase rapidly, commodity hardware-based DPI systems face performance bottlenecks and the difficulty of scalability, which interferes on traffic classification accuracy dramatically. This paper introduces a lightweight DPI algorithm for an expeditious detection that can detect the presence of a DDoS in the Internet as quickly as possible in order to provide people accurate early warning information and possible reaction time for counteractions. Furthermore, it increases the exactitude of detecting DDoS and doesn't decrease network backbone's performance. © 2013 Springer-Verlag.